There are three commonly-used standards of Wi-Fi AP security in the world today. The best known, Wired Equivalent Privacy (WEP), is readily vulnerable to exploits and must not be trusted except for the flimsiest of protection. WEP is widely considered to be a trivial barrier to even barely competent hackers, and to afford only a bare minimum of protection on its own.

Wi-Fi Protected Access (WPA) was developed as an intermediate solution to the revelation that WEP’s encryption had been highly compromised. The second generation of WPA security is called WPA2, and this is the current state of the art. WPA2 delivers (to date) very good encryption and protection against eavesdropping. WPA2 Personal provides strong encryption and uses Temporal Key Integrity Protocol (TKIP), which dynamically encrypts the key used for authentication. WPA2 Enterprise uses an authentication server to authenticate users.

Until recently, implementing WPA and WPA2 was something of a hassle; if you’ve been wireless for some time now, and still have Wireless B Cards (see sidebar), you’ll have challenges using WPA. If you have fairly new equipment, such as an Intel Centrino notebook, you’ll be able to use at least WPA if not WPA2.

Also in this series…
A proposal for Reasonable Wireless Security for law firms

A sample network access policy

Wifi encryption standards

“There’s nothing on my desk worth stealing”

…and free hotspots for all

Imagine you’re a telecom, and you wake up this sunny Friday to realize it’s not a dream, you really did just pay £8 billion for two German third-generation mobile license blocks. Yes, you paid much more than you wanted for fewer license blocks than you’d hoped. And when your friends ask you what, specifically, you will do with this license, you can’t answer.

If you think you hear laughing, it’s probably coming from Denmark.

“We were all laughing about this just yesterday,” said Soren Jessen Nielsen, head of strategic business development in Europe for BlueKite, which just closed a $36 million round of funding from a VC group headed by Texas Pacific Group and including Credit Suisse First Boston. The investors purchased a 21 percent stake in BlueKite, which develops proprietary bandwidth optimizing technologies and a software platform aimed at increasing network capacity and Internet access speeds for fixed and mobile networks.

“Bandwidth is finite; it’s absolute,” said Nielson, who scoffs at UMTS hype. “A 2MB line into a PDA? Please. When UMTS comes, no one has any idea what they’re going to do with it. But I’ll tell you, whatever they (the telcos) do, they’re going to run into the same bandwidth problems and capacity issues that you have with GSM and Edge. You ain’t gonna have multimedia while traveling on a train, forget that one – that’s marketing hype.”

But whether BlueKite believes the UMTS dream or not, it’s hoping to profit from it. The San Francisco-based company, with roots in Copenhagen, may be one example of how startups in Europe can benefit from the trucks full of money being thrown at UMTS. Whether you believe UMTS is the Great White Hope or a Big Fat Joke, one thing European VCs seem to agree on is that companies developing applications for next-generation mobile networks are worth funding. With telcos around Europe set to pay up to $200 billion for licenses, they may have little money left to develop their own applications to run on these networks. Enter wireless communications, software and technology startups.

“There is a ton of work to be done to create these UMTS-based applications, and this is an area where small companies are really needed, and where they can do a good job,” said Peter Dietz, managing director of TakeOff VC Management. He believes the UMTS bidding war will cause larger companies to leave to small companies the work of making the applications that will make UMTS sexy. “I can’t name names at the moment, but we have already been discussing this with two of the German companies in our portfolio; one is something of a cross between an IT service and a multimedia agency, and the other is a pure software development company.”

Kim Bach, vice president at 2m Invest in Copenhagen added: “This is a perfect example of the “Tornado effect.’ There’s so much money being spent in this area that it’s impossible to imagine it won’t have a positive effect on the small suppliers.”

Bach has seen this market development coming for a long while. 2m has been sinking money into the organization that is now BlueKite since 1993, when it was called RadioMail, and it had teamed up with Motorola to make Newton-like handheld devices.

“We really knew the idea of wireless computers was the way to go in the future, but we were out,well, let’s say a bit too early,” Bach said. “But we were sure this technology would have to have a breakthrough sometime, so we kept feeding what would become BlueKite until a couple of years ago when they really took off.”

BlueKite’s reincarnation about two-and-a-half years ago, headed up by CEO David Cox, was funded by $1 million in seed money from 2m, which owns 41.6 percent of the company. BlueKite started with offices in Silicon Valley, but fleeing high prices and labor costs, it moved it kept its administration in San Francisco, but moved research and development to Los Angeles. In the last year, the company has grown from 10 employees to more than 70, and has offices in Copenhagen, London, Frankfurt, Amsterdam and Paris.

2m invested an additional $3 million last year. BlueKite’s aim is to develop technologies that better manage bandwidth and compress data, but still utilize existing infrastructure. For example, on a standard ISDN line, BlueKite technology can determine, on an ongoing basis, whether a given user needs two or three channels, or just to keep one open on an idle mode.

In fact, BlueKite already offers a technology that allows ISDN-speed data transfer rates over existing wireless networks for companies including British Telecom, Swisscom and Telecell Portugal, as well as Connect Austria.

“We looked at everyone offering solutions to bring high-speed mobile data transfer,” said Lars Reichelt, currently COO of Connect Austria and soon to be director of wireless for Europe at Yahoo. “When we finished, BlueKite came up by far the best,” even with competitors including Nokia and Ericsson offering similar products. “This is a great tool, and it makes the workplace truly mobile. You don’t have to worry about fumbling around looking for a proper phone plug – in Austria there are seven approved types of phone plugs. It costs 3 shillings ($0.20) a minute, and you can work while others watch in wonder.”

BlueKite may well be poised for growth during the development of the so-called mobile future, but it won’t be alone for long. Software companies are desperately needed to build the very applications that will make UMTS profitable, and most startups aren’t clueless to the trend. Some industry estimates put the number of WAP development companies at over 600 in Europe alone, and VCs are desperately trying to plunk their cash into the right wireless companies. Yesterday, every VC wanted a dot.com in its portfolio, now they want wireless startups.

“This (the development of UMTS) creates opportunities for smaller companies,” said Stephan Uhlmann at Deutsche Venture Capital Gesellschaft. “There’s a great opportunity here for developers of applications that will bring products to end users via UMTS.”

It’s just past 8.30 am on a busy Tuesday. A five-person legal team
has just arrived to work with your firm on that big case. For the
next four days, these five lawyers will be camped in your conference
room. And their first question is, “How do we get Internet
access?”

[Ian Sacklow co-wrote this white paper]

At
many small and mid-sized firms in the US, the answer is increasingly,
“We’ve got Wi-Fi¹.”
A Wi-Fi Access Point (WAP) allows your computer or personal digital
assistant (PDA) to connect to the Internet, or a computer network, at
high speed, without wires (see sidebar).

Wi-Fi lets your clients use the Internet or access their corporate
network. It allows your partners, associates and interns access to
the web and your Local Area Network (LAN) from the library or
lunchroom – or the coffee shop across the street.

In
the immediate future, lack of a Wi-Fi connection to the Internet will
be as disruptive to a law firm as the lack of an Internet connection,
or a mobile phone.

As
we adopt new technologies, no matter how revolutionary or wonderful
they may be, we must not be reluctant to address their
vulnerabilities. An improperly or incompletely configured WAP has
vulnerabilities. Fortunately, there
are inexpensive and easy-to-employ safeguards against many of them.

Executive Summary
This article is intended to provide attorneys and support staff with
an overview of Wi-Fi, and the challenges they face as they maintain
the confidentiality of client documents and information in a wireless
network setting. This article proposes a standard comprising the
steps which law firms should take to reasonably prevent intrusion
into their LAN via their WAP, and thereby protect the confidentiality
of their clients’ information.

The
article is geared towards those in the many law firms which don’t
have full time Information Technology (IT) departments, or formal
computer training. The steps suggested do not provide a guarantee
against unauthorized intrusion. They do provide a reasonable amount
of security at reasonable expense².

When
it comes to a lawyer’s duties to maintain confidentiality, I’ve been
told there has been no landmark ruling about what are reasonable
measures to protect client data across a WAP. A poorly configured WAP
can expose your clients’ confidential information. Unless you wish to
be the test case to establish that standard, you should establish and
maintain reasonable levels of security when deploying a WAP.

It
is submitted that the steps I propose are reasonable, and it is hoped
that they would therefore be adopted as a standard to be followed and
provide a safe harbor for law firms seeking to protect the
confidentiality of client information in a wireless network setting.

The proposed standard includes four steps to protect and encrypt the
traffic on the WAP. Any WAP not so protected shall be considered to
be an “Open WAP.”

The
proposed standard also includes a written security policy covering:

• WAPs in the office
• WAPs at the homes of those with remote-access authorization to the
  firm’s local area network
• Computers which contain client data and access publicly-accessible
  WAPs (at coffee bars, airports, Bar Association Libraries, airports,
  etc.)

Wi-Fi: An Indispensable Tool

• Wi-Fi is everywhere, and it’s no fad.

There were more than 10 million WAPs in US homes by the end of 2004, with an expected 14 million by the end of 2005.

At coffee bars, restaurants and offices throughout the world, you’ll see people working on Wi-Fi-enabled devices like notebook computers. Publicly-accessible WAPs, known as Hotspots,
are provided in scores of cities to
encourage Internet use. Many Hotspots provide the Internet access at no cost, to encourage foot traffic.

Other Hotspots, such as those at most Starbucks, Barnes and Noble,
Borders and Kinkos locations, charge access fees for Wi-Fi – about
$1.30 a day for a monthly subscription.

WAP Overview

• The vast difference between connecting via Wi-Fi to the Internet, and connecting via Wi-Fi to your LAN is an important distinction.

Components
comprising a Wi-Fi network work in much the same way as
walkie-talkies and a base station. When you set up a WAP (sometimes
also referred to as a, “Wireless Router”), you are broadcasting a
radio signal to the area within a radius of up to 300³
feet from the WAP. By default, anyone with a mobile device equipped
with a Wi-Fi transceiver (“Wi-Fi Adapter”) can detect this
signal and request a connection. When the WAP recognizes the request,
by default it assigns to the requesting device a unique identifier
(an “IP Address”) which permits the WAP and mobile device to
communicate. Once this connection has been made, the mobile device is
granted access to the network to which the WAP is connected.

Most
people connect the WAP to a high-speed Internet connection. Once a
mobile device is connected to such a WAP that device can access the
Internet.

Some
people also connect the WAP to their Local Area Network (LAN). Your
LAN is the network of computers which contain your data and client
information. LAN access must be protected by a firewall, which
prevents unauthorized communications originating outside the LAN from
getting in.

For
reasons which will be made clear below, I highly recommend that
anyone accessing your LAN from anywhere outside the firewall –
be it through your WAP, their home computer or network (wired or
wireless) or a public Hotspot – do so through a Virtual Private
Network (VPN). A VPN creates a “tunnel” through which your
data is transported, crytographically encrypted, through the firewall
and on to the LAN.

VPNs are the number one thing people should be doing. A VPN lets trusted⁴ users be as productive as possible. Even if an unauthorized user gets
on to your WAP, you can keep him locked out of your LAN.

The
proposed standard therefore requires you place the WAP outside
your firm’s firewall. By creating a “demilitarized zone”
(DMZ) which is inside the WAP but outside the firewall, you grant
wireless Internet access via your WAP, while only Trusted users may
access the LAN, through the VPN.

Unless you intend to offer public Internet access (which you might,
see below), then you must also protect your WAP with encryption and
an authentication scheme, which requires user name and password, to
help keep unauthorized users out. While less important than
protecting your LAN, protecting your WAP from just anyone getting
Internet access can be important as well (see sidebar).

What’s
Your Responsibility?

• Connecting an Open WAP to your firm’s LAN is literally as unsafe
  as placing your client files in an unlocked file cabinet in the
  center of a city street.

Lawyers in New York State mustn’t knowingly “… reveal a confidence or secret of a client”, and “…shall exercise reasonable care to
prevent … employees, associates, and others whose services are utilized by the lawyer from disclosing or using confidences or secrets of a client.”⁵

An
Open WAP is a Hotspot – a publicly shared computer network open to
anyone, anywhere within 300 feet. In 2001, the DC Legal
Ethics Committee stated it is “…impermissible for unaffiliated
attorneys to have unrestricted access to each other’s electronic
files (including e-mails and word processing documents) and other
client records. If separate computer systems are not utilized, each
attorney’s confidential client information should be protected in a
way that guards against unauthorized access and preserves client
confidences and secrets.”⁶

The Delaware Bar opined that client confidentiality is
broken when a lawyer, “should reasonably anticipate the
possibility that his or her communication could be intercepted and
confidences disclosed.”⁷

An
irate client whose opponent became aware of embarrassing information
via such an interception might well make the argument that
maintaining an Open WAP doesn’t protect his data in a way that guards
against unauthorized access and preserves client confidences and
secrets.

Protecting
the confidentiality of client information on an Open WAP is
impossible. Cheap and simple steps can solve this problem.

Criminal Liability of Accessing a ‘Public’ Hotspot

• You
  cannot rely on existing laws to prosecute “unauthorized” WAP
  access. It is difficult to determine how a user becomes authorized
  to access a WAP, and there’s no common mechanism by which to post a
  notice that he is not.

In
early July, 2005, police in St Petersburg, FL, arrested Benjamin Smith III
for accessing a residential WAP and connecting to the Internet –
from his car. Smith was charged with unauthorized access to a
computer network.

He
might get off. Who’s to say it was unreasonable for Smith to assume
what he did was Kosher? The WAP he used was wide open. With the
proliferation of Hotspots,
who can say whether a person can reasonably infer an Open WAP is
intended for public use?

Under
current New York law, it is illegal to intentionally access someone
else’s computer, computer network or equipment without authorization
to do so where such computer or equipment, “…is equipped or
programmed with any device or coding system, a function of which is
to prevent the unauthorized use of said computer or computer
system.”⁸.

The
New York Penal Law also attempts to define “authorization”
by providing that to establish authorization, one must be either

(i)
give actual notice in writing or orally to the user;

(ii)
prominently post written notice adjacent to the computer being
utilized; or

(iii)
a notice that is displayed on, printed out on or announced by the
computer being utilized by the user⁹.

Significantly,
the Penal Law also provides for a presumption that notice of such
authorization is given where, “the computer is programmed to
automatically display, print or announce such notice ….”¹⁰

Scott R. Almas, who was instrumental in developing the business and
technology model to implement many of the Hotspots throughout
downtown Albany, New York, is a technology attorney at the law
firm of Lemery Greisler LLC. While Almas does not endorse the
unauthorized use of open WAPs, he points out significant problems
with New York’s law when viewed against the practical reality of the
proliferation of Open WAPs.

“I
am particularly troubled,” Almas said, “by how a user is supposed
to know whether or not the owner of the Open WAP is authorizing use
of the access point where the owner broadcasts to the world the
presence of the access point and takes no steps to secure it. By the
very nature of WAPs, there is no reasonable way to post or provide
oral notice, and it can be difficult to interpret from the
broadcasted name of the access point whether authorization is
intended.”

“In light of the fact that protecting the WAP is free, simple to do, and
strongly recommended by the access point manufacturers during the set
up process,” Almas said, “I believe anyone who sets up a
WAP and does not follow the advice to install even the most basic,
minimal safeguards should be presumed to be providing authorization
to access the Open AP for otherwise lawful Internet use.”

“The presumption should not,” adds Almas “extend to authority to access information on the WAP owner’s LAN, or other illegal or
harmful activities.”

Oops. Was That Your WAP?

<li><p>
<strong>If
a mobile device automatically seeks and connects to a WAP, then
accessing an Open WAP needn't even be intentional. </strong>
</li>

Most
new notebook computers ship with the Microsoft Windows XP or
Macintosh OSX operating systems, and are equipped with internal
wireless adapters (see sidebar). If the wireless adapter is switched
on, the notebook will seek, and attempt to connect with, WAPs – even
before the screen comes to life.

People set their notebooks to connect to any available network, so
the onus is on the owner of the WAP. I would think that if your WAP offers credentials to enter – such as an IP address – a user might reasonably think that they’ve been granted access to your WAP.

And New York Penal Law Section 156.50 provides a defense for persons who
had reasonable grounds to believe that they had authorization to use
the computer. Therefore, unfortunately, the issue will likely be left
for the Courts to decide whether such a presumption exists and is
applicable in any given case.

Attorneys
and the public must properly frame these issues and arguments, so
that the Courts can properly interpret and apply the law.

Determine
Your Needs

<li>
<strong>You can protect your LAN while providing public access to your
WAP and the Internet - so long as you configure your WAP properly</strong></li>

Lemery Greisler, Almas’ Albany, New York law firm, provides a Hotspot
to afford anyone in the area free access to the Internet. By giving
pedestrians a good reason to mill about, this is a fine goodwill
gesture towards local businesses at low cost.

That’s
a perfectly reasonable thing to do, so long as you reasonably ensure (as did Lemery Greisler) that it is difficult for strangers to
access your LAN from the Hotspot. They placed the Hotspot outside
their firm’s firewall, thereby providing a public service at little
risk to their own network.

It’s
important that you, too, determine what you want your WAP to do, and
deploy it properly.

Don’t Panic … But Set A Policy

<li>
<strong>A clearly communicated and strongly enforced written policy
governing remote network access is essential. </strong>
</li>

A
written wireless data security policy is vital in any environment; in
a law firm, the lack of one could be expensive, embarrassing and
time-consuming. It could create civil liability – and even criminal
liability (see sidebar) – for the firm.

All
people in the firm must be made aware of the policy, not matter their
position: it does you no good to take steps to increase security if
your receptionist or even a junior associate tells a caller
information about your WAP and network. This happens far more often
than you’d think. Specifics on what the policy should cover are
listed below, within the proposed standard.

Everybody’s Not Doing It

<li>
If you haven't
locked down your firm's WAP, you're not alone. This problem is
widespread and international.</strong> 
</li>

In March, 2005, data
protection company RSA Security reported that a survey it
commissioned from netSurity found more than one third of wireless
business networks in four major cities were unsecured – 38% of
businesses in New York, 35% in San Francisco, 36% in London and 34%
in Frankfurt.

Those numbers are about
right – a safe, if not conservative, figure. It’s analagous to a car, which comes with locks built right in to the doors, but it’s up to you to depress the lock button.

From Elite Geeks to An Unruly Mob

<li>
One no longer
needs to be a gifted programmer to be a successful intruder.</strong></li>

Cracking WEP, the lowest form of Wi-Fi encryption, is increasingly trivial
(see sidebar), and attorneys must never entrust WEP – no
matter how large the bit-size – to be the sole means of protecting
a LAN.

The popular image of a “Hacker,” as a young, pale-skinned
male perched behind a complex computer using arcane tools to
penetrate computer systems is dated.

Hacking, password- and encryption-breaking tools have become
ubiquitous, sophisticated, simple to use and are totally free to
download from the Internet.

PROPOSED
STANDARD

A
determined intruder with the right tools will get in no matter what
you do – nothing offers 100% security or guarantees, but you
should employ the best security you can install and maintain without
unreasonably disrupting productivity. Take all reasonable steps to
secure client information on your LAN with a well-configured
firewall.

If
you merely wish to allow Trusted users wireless Internet access,
securing your WAP can likely be done by Dan – that geeky intern who
likes Star Trek. It can take as little as 15 minutes, and can
cost nothing: if you’ve got a WAP, you’ve almost certainly got the
hardware needed (and if you don’t, you can spend as little as $40 to
get it).

If
you wish to allow the WAP to also grant LAN access, and you don’t
have an IT person in-house, you might buy a combination VPN/WAP for
as little as $149 (see sidebar). Otherwise, you may need to hire an
outside consultant or installation specialist for a few hours’
consultation or work to set up the VPN.

Four Main Steps

Because
Linksys is the most popular WAP maker, examples below refer to
Linksys products; your WAP’s instruction manual contains specific
How-Tos and instructions to do all the following. All brands provide
similar steps and menus, and all use the same terminology.

STEP ONE: CHANGE THE DEFAULTS

The simplest solution for a range of common problems raised by WAPs is to
change the default information on the WAP itself. This is
accomplished by opening a web browser and surfing to the IP address
of the WAP device.

First go to the Setup Page:

<li>
Change the Router Name<a class="sdfootnoteanc" name="sdfootnote11anc" href="#sdfootnote11sym"><SUP>11</SUP></a>.
    </li>
<li>
Change the last two fields in the WAP's Local IP address to
something other than what's there. Reasonable entries include
192.168.11.1 or 192.168.0.25. 
</li>

Next,
go to the Wireless Basic Settings Page. The Service Set Identifier
(SSID) is the name of the wireless network your users will connect
to. By default it is set to “Linksys.”

<li>
Change the SSID to something non-descriptive - not your firm's
name. While the concept of security through obscurity is not to be solely relied upon, choose for your SSID something obscure, like B3QXR25. 
</li>
<li>
Then, disable the SSID broadcast, so it won't be readily visible to
users who don't know that the WAP is there (though &quot;war-drivers&quot;
- people who drive around looking for Open WAPs - might see it.
Yes, there's a war-driving subculture). 
</li>

STEP TWO: CHANGE THE ADMINISTRATIVE PASSWORD

A hacker, using the default username of (nothing) and the default
password of “admin” can take over your WAP and lock you out. In the Administration page:

<li>
Set a new, hard-to-guess administration password, using at least an
eight character string which is not a word found in a dictionary,
and which comprises upper and lower case letters and numbers.</li>

STEP
THREE: ENCRYPT THE SIGNAL

Use
the best encryption method you possibly can, preferably WPA2 (see
sidebar). If WPA2 is not available, then deploy, in descending order
of preferability, either WPA or WEP. If you absolutely must use
WEP, use 128-bit encryption – which takes a bit longer to crack
than weaker versions of WEP.

STEP FOUR: VPN INTO THE LAN

You absolutely, positively may not allow access to your LAN through the
WAP except with the use of a VPN.

Because
the VPN’s authentication is vastly more secure than Wi-Fi’s and
encrypts all data between the client (that’s your notebook computer
or PDA) and the LAN, it helps ensure that anyone gaining access to
the LAN is authorized.

Written Policy

Anyone who has been granted remote access to your LAN must abide by
the written remote access policy. This policy must cover the remote
users’ notebook computers, PDAs and other mobile data devices; their
home LAN and any home computers, and any other machines which they
may use to access the company LAN.

The policy must be clearly posted in the firm, and discussed with all
remote users and staff. It must explicitly set forth rules governing
what employees may tell outsiders about your computers, your network,
your WAP and your security policies. It must be regularly reviewed.

For a sample written policy, see http://www.nickselby.com/wifi

Protect Home WAPs

Anyone granted permission to access the LAN via VPN must apply all
four steps above to their home or other remote WAP. This not only
protects your LAN, it protects personal data they store on their home
machines.

Current OS Patches, Anti-Virus, Firewall & Spyware Blockers

Anyone accessing the LAN must ensure that their device is updated
with the most recent security patches for their Operating System.

All machines on the LAN must run current versions of anti-virus
software with regularly updated virus definitions. Note that new
viruses are introduced every hour; “regularly updated virus
definitions” means at a minimum of once each week. It could be
argued it is reasonable to update every 24 hours.

Any
device accessing from outside the LAN must be running a
properly-configured firewall program such as Zone Alarm or Computer
Associates eTrust. The Basic Signal Set (BSS) is shared by all users of an AP; should the hotspot not block inner BSS connections, and you should assume it is not blocked, then if you connect to that AP and you are not running a firewall, a malicious user can gain access to your machine and install software or remove files from your hard drive. If you’re not encrypting your e-mail, it (and your password and username) can be very, very easily captured and viewed in plain text by others on the Hotspot –
unless you’re encrypting your email through a VPN, or an encryption
program such as PGP.

Always
assume that others can see you on a Hotspot. Make sure you have a firewall running, and anything
you care about – such as email or confidential files – is encrypted
across a tunnel.

Call
For Discussion

As when you access a Hotspot, you’re always looking for the balance
between ease of access and loss of security. The best we can do
is educate people about the upside and downsides of using WAPs, and discuss ways to protect yourself so that your information remains reasonably secure.

As I mentioned earlier, this is all very new. The proposed standard
is a first step towards reducing the likelihood that your LAN will be
compromised, or your Internet connection abused. In order to further
this recommendation and develop a final specification, I welcome your
comments.

Ian Sacklow, the founder of the Capital District Linux Users Group and
Information Systems Manager for Dodge Chamberlain Luzine Weber
Associates, an architectural firm with offices in East Greenbush,
Plattsburgh and Jericho, New York, co-authoried this white paper.

Members
of the Capital District Linux Users Group contributed technical
information and fact checking for this article.

<p><a class="sdfootnotesym" name="sdfootnote1sym" href="#sdfootnote1anc">1</a>
Wi-Fi is short for &quot;Wireless Fidelity,&quot; the nickname for a
wireless area network (WAN) complying with IEEE 802.11
specifications. Wi-Fi&reg;
is a Registered Trademark of the Wi-Fi Alliance. 
</p>

<p><a class="sdfootnotesym" name="sdfootnote2sym" href="#sdfootnote2anc">2</a>Of
course as the state of the art changes, so must any standard be
updated.</p>

<p><a class="sdfootnotesym" name="sdfootnote3sym" href="#sdfootnote3anc">3</a>One
can extend this range in a variety of ways, all fairly technical.
300 feet is the default, stock range without modification, and
therefore the range I discuss here.</p>

<p><a class="sdfootnotesym" name="sdfootnote4sym" href="#sdfootnote4anc">4</a>On
a network, a &quot;Trusted&quot; user is given access to sensitive
files. An &quot;Untrusted&quot; user may be granted access to
certain parts of the network, but not to areas containing sensitive
data. 
</p>

<p><a class="sdfootnotesym" name="sdfootnote5sym" href="#sdfootnote5anc">5</a>
New York Lawyer's Code of
Professional Responsibility , DR
4-101 [1200.19] 
</p>

<p><a class="sdfootnotesym" name="sdfootnote6sym" href="#sdfootnote6anc">6</a>
 District of Columbia
Ethics Opinion 303, February 2, 2001</p>

<p><a class="sdfootnotesym" name="sdfootnote7sym" href="#sdfootnote7anc">7</a>
 Delaware State Bar Association Opinion 2001-02
</p>

<p><a class="sdfootnotesym" name="sdfootnote8sym" href="#sdfootnote8anc">8</a>
 New York Penal Law Section 156.05</p>

<p><a class="sdfootnotesym" name="sdfootnote9sym" href="#sdfootnote9anc">9</a>
 New York Penal Law Section 156.00</p>

<p><a class="sdfootnotesym" name="sdfootnote10sym" href="#sdfootnote10anc">10</a> id.</p>

<p><a class="sdfootnotesym" name="sdfootnote11sym" href="#sdfootnote11anc">11</a>You
change the Router Name to slow down would-be intruders. Router Names
provide enough information to attackers to obtain all default
information for that WAP. <a href='http://coffer.com/mac_find/' target='_blank'>http://coffer.com/mac_find/</a> is one
Website which provides lookups which match Router Names with
manufacturer and model number, linking to the manufacturer website
which lists that machine's default settings and password.</p>

---

Also in this series…
A proposal for Reasonable Wireless Security for law firms

A sample network access policy

Wifi encryption standards

“There’s nothing on my desk worth stealing”

…and free hotspots for all

---

We’ve noted recently that laptops are becoming ever more portable, holding more data and processing power than ever before, and rapidly replacing the enterprise desktop as a primary computing device. We also noted that along the way they are fast becoming a major point of security failure that enterprises must address.

That proved a timely assertion, especially now that the nation’s mainstream media is buzzing about the theft from a U.S. Department of Veterans Affairs (VA) employee of a laptop computer and CD-ROM containing personally identifiable information (PII) of at least 26 million veterans. It’s safe to say that the data loss and intellectual property theft associated with mobile laptops and storage devices is a hot topic. Veterans groups have filed a lawsuit against the VA in connection with the breach, seeking $26.5 billion in damages. This monetizes – perhaps for the first time on such a large scale – the problem.

Nearly 85 million records containing PII have been compromised since February 2005, when Alpharetta, Ga.-based ChoicePoint Inc. announced the loss to hackers of 145,000 records containing PII. Ten days later, another breach announcement was made, but this time the problem wasn’t hackers – it was butterfingers: Bank of America in Charlotte, N.C., announced that it had lost an unencrypted backup tape holding 1.2 million records containing PII. Not stolen or hacked… lost.

We reckon that 40% of those 85 million compromised records were lost not to evil hackers cleverly breaking through security or social-engineering credentials from unsuspecting employees, but instead to stolen or lost laptops, computers or backup tapes, or inadvertent emailing. This kind of data compromise is a national problem affecting everything from small business, to all sizes of enterprises, to government on every level. It’s also a massive opportunity because to a large extent, this problem can be reduced.

Compliant or secure?
Much marketing ink has been spilled around the word ‘compliance’ in the past couple of years. The term sometimes refers to compliance with state regulations, like California’s, New York’s and Connecticut’s regarding data breaches. But more often, it refers to compliance with federal regulations and industry guidelines, like SOX, HIPAA, the Federal Financial Institutions Examination Council, the Payment Card Industry Data Security Standard and other acronym-laden best-practices lists designed to introduce more accountability and technical oversight into the worlds of enterprise and government data.

The ChoicePoint announcement rang in de facto national compliance with the California state law requiring notification of affected parties of a breach in security, confidentiality or integrity of unencrypted data containing PII. For each reported breach, press coverage intensifies. As identity theft becomes more common and better publicized, the consumer response to such data compromise has become angrier, which leads to still more media coverage. Data loss, which used to mean some bad PR if you got found out, now means an instant share price punishment, heaps of bad publicity and customer rage. Those are the three most significant drivers of enterprise adoption of security products.

The biggest immediate winners would seem to be mobile device security vendors. Companies like Bluefire Security Technologies, Credant Technologies, Mobile Armor, PGP Corp, Pointsec Mobile Technologies, SafeBoot, Trust Digital, Utimaco Safeware and WinMagic all offer products that encrypt sensitive data on enterprise mobile computing and storage devices.

Mobile device security
For the past several years, vendors in the mobile device security space have been hollering their heads off about just these issues. Mobile device security in this case boils down to the ability to encrypt sensitive data on the hard drive and removable media of any device or storage media capable of being carried out of the enterprise.

That’s a sensible enough goal, and unlike the case with intrusion detection or edge defense, most people can intuitively understand it. In this space there are religious differences – a constant discussion over whether it’s best to encrypt every single bit that hits the hard drive, or selectively encrypt only the data deemed by some policy to be ‘sensitive.’

And there are logistical challenges. Think of how many devices are capable of taking a walk with 60,000 or 6 million records, and your thoughts would have to extend to laptops, mobile phones, CDs and DVDs, USB flash storage drives and mass storage devices like iPods, MP3 players, digital cameras and the like, plus backup tapes, external hard drives and tape drives… There’s a pretty long list.

Most, if not all, of the vendors in this space build in some kind of remote-destruct feature to thwart Fred from Purchasing from absconding with the company sales list: The device typically phones home on boot and gets instructions, or checks in when connected to the Internet. This is all useful stuff of course, but the main concern most people have is whether disks can go on a walkabout without endangering the customer data and the company’s reputation.

The reason we say that vendors in this space will benefit from the recent events far faster than those in others (such as, for example, database protection, storage encryption and key management and the worlds of intellectual property loss prevention) is because the technology is simple, fairly cheap and can be deployed on what you have now.

It’s a fairly easy purchase that the enterprise doesn’t have to live with forever – the technology on which it is deployed, often a laptop or handheld, will almost certainly be replaced in three to five years (as opposed to a database protection system, which would be expected to last longer, or storage encryption and key management system, which would be expected to last until the end of time, or at least a decade). Also, mobile devices are frankly the most likely to be lost or stolen or otherwise compromised – like when an employee is fired and ‘forgets’ to return it.

Vendors
Partial disk encryption sets aside areas of the disk to be encrypted, and/or examines content to determine by policy whether the information is sensitive. And these days, products from companies like Bluefire, Credant and Trust Digital offer extremely granular controls over what sensitive means, including encryption of all data from certain applications, data containing patterns (such as Social Security and credit card numbers) and other triggers. Whole-disk encryption encrypts everything on the disk. The arguments against this are as numerous as those for it and revolve around restoration of system files and re-provisioning without destroying all the data. Mobile Armor, PGP, Utimaco’s SafeGuard Easy and WinMagic all offer robust whole-disk encryption products.

All these vendors offer controls, from basic to fairly sophisticated, to ensure that data saved to removable media of any sort is encrypted. This stops short of products from M-Systems, which place an agent on Windows machines preventing all but M-Systems hardware-encrypted USB drives from being mounted by the computer, and requires all data stored on the removable media to be encrypted; a central management system handles provisioning, remote-destruct, lost passwords and other features. Safend, GFI Software and other companies have less granular systems that provide control of all external media devices as well.

Opportunities
Compliance – in this case, compliance with best practices that result in your enterprise’s name not featuring prominently in the national media – is the key driver for these technologies, and the sky is the limit. The terabytes of data just floating around unencrypted on removable media only scratches the surface of the problem. That special report we published on mobile laptops as desktops points out that mobile laptop deployment already outpaces that of desktops. After the third loss of a laptop in a year (resulting in the compromise of at least 280,000 records), Ernst & Young is said to be looking into an enterprise-wide encryption policy. More of those will be forthcoming in the immediate future. And the mobile security vendors will try as hard as they can not to say "We told you so."

It’s a holiday nightmare: your child, found tearfully tugging at the skirts of a grinning theme park employee, has ratted you out as the parents that lost him.

As hundreds of university students in air conditioned fur character suits have your description, the net closes in. Goofy’s speaking into his wrist and pointing at you!

Now you’ve got to face dozens at the dreaded Guest Relations, where you collect your wayward child and sheepishly explain that, “I only turned my back for a SECOND!” For families and groups of even two visiting American theme parks or malls, Walkie Talkies on the new US Family Radio Service can be a Godsend.

A new range of inexpensive handheld radios operate on the FRS, a set of US radio frequencies that are available to users without an FCC license. Hand-held CB radios, while powerful, couldn’t provide a traffic-free channel, and carrying a roaring pocket full of “good buddies” through the Magic Kingdom just didn’t seem practical.

So radio manufacturers Motorola and Radio Shack made the FCC a deal: loosen restrictions on the airwaves, and they would produce low-cost walkie talkies that would allow friends and families to communicate. Say, across the wilds of a theme park, shopping mall, park or forest.

The FCC passed the Family Radio Service act in 1995, clearing the way for Motorola, Radio Shack and other manufacturers to produce some of the coolest little handheld radios on the market.

Motorola’s main entry, selling at around US$89 a piece in shops (but listed as $129 by Motorola), is the neon-colored TalkAbout: very colorful and retro-modern looking (think Buck Rogers) two-way radios with a range, they claim, of up to two miles.

Radio Shack’s 2-Way Personal Radio models, which are actually built by Motorola and cost about the same as the TalkAbout, look somewhat more Mission Impossible. They’re clumsily marketed, but the Radio Shack models, along with FRS walkie talkies from companies including Kenwood and Midland, are very good products with just about the same technical specs as the Motorola branded models.

I recently took the Motorola radios on a little trip through Walt Disney World, the Sawgrass Mills Shopping Mall, the Kennedy Space Center and the entire state of Florida, and the Radio Shack radios through Orlando. I’m happy to report that when you’re in the theme parks or on the same floor of a mall, these things are absolutely fantastic.

Plop! One shortcoming was that despite the rugged looking case, the TalkAbout is by no means waterproof. While planning our day poolside, I read with interest the TalkAbout manual, which said, “Water Resistant…” and before I finished reading the sentence I tossed the little yellow box into the pool, expecting it to float.

I have never seen something sink so quickly.

I dived in after it, and when it surfaced, I turned the power switch on. It made the most pathetic electronic noise since R2D2 was deactivated: Beeeeeewooop. After an hour with a newly-bought six-point star socket wrench and a hair dryer, I’m happy to report it worked as good as new.

“Water resistant”, apparently, means it can be rained on lightly. Tempting as it may be, don’t expect the thing to work under water unless it’s in a waterproof plastic bag.

Vowing to use it only as intended, my wife Corinna and I set out for Orlando and the theme parks.

Disney
The thing to remember is that the range conditions stated on the box are optimal – as in, optimally you’ll use it at night, at sea level, with clear skies, and in Tahiti.

The actual range we found was just about a mile, which is perfect for, say, the whole family in the same Disney park. Across the Magic Kingdom, we were able to communicate perfectly, making this a natural for parents to let their kids run off with one radio while they keep the other.

We did a range test, with my wife on the monorail to Epcot. We were able to hear each other only for a little while before her comments became just about,

“Im gzzrbth with baazrrrb CRACK Epcot”

But within the parks themselves, the radios functioned absolutely as promised. We even had no interference – our own private channel – despite the sight of about seven or eight other families in the area using their FRS radios.

That’s because all brands of these radios allow you to broadcast subaudible tones which effectively multiply the available channel sets tremendously: there are 14 channels and 38 subtones from which to choose.

The Radio Shack model worked great throughout the Belz discount outlet mall. We had some fading in and out, but could always hear each other.

Since specs are all very similar, your choice is really which one you like best or, more likely, which one’s cheapest at the time you;re shopping for them.

The TalkAbout and TalkAbout Plus, while not water resistant, are certainly rugged, and stood up to drops and bumps. We saw a kid at the Kennedy Space Center kicking his radio and then speaking on it. The manual didn’t mention anything about this but I assume it is not recommended.

The best place to buy the radios – whichever brand you decide on getting – is in the States, where the prices are better than in Europe. They’re sold at many electronics shops, all Radio Shack locations and in ham and commercial two way radio shops. You can also buy them over the internet, and have them delivered to your hotel in the US, saving on international shipping and import duties.

Motorola’s website is www.motorola.com. Radio Shack’s website is at http://radioshack.com. Midland and Kenwood FRS Radios are available through Northern Mountain, www.northernmountain.com

The future is wireless, or at least that is what Nokia, Ericsson and a host of startups and network operators are earnestly hoping. But the quick success of 3G – The Third Generation of mobile telephony – is more than profitable icing for these companies; it has now become a matter of survival….

This article, which ran in the February, 2001 issue of Tornado Insider magazine, looks at the overall climate in European development of 3G, and then explores how each of Europe’s largest telecom networking manufacturers, Ericsson and Nokia, is coping with the challenge.

…………………………………………………….

In the main lobby of Nokia House, a wood-steel-and-glass curiosity in the Finnish city of Espoo, is an impromptu cell-phone museum. In it, alongside all the sexy phones that rocketed the Finnish manufacturer to No. 1 in handsets, we viewed the suitcase-sized Mobira Talkman “portable” cell phone all the yuppies were buying in 1986.

For all its prescience in handset design and user habits, no one knows better than Nokia how difficult it is to predict future trends. Painfully aware of industry missteps earlier in the 1990s, Nokia discusses 3G with a reverence, and makes predictions about “classes” of applications and “styles” of usage.

But it won’t predict specific applications that will emerge as killers. The logic is cunning: Predict the next SMS? Thanks, no. But it will hot-house every person with an idea for an application, maintain an open API (application program interface), provide technical details to everyone, and market support to the successful few. Now there’s a situation in which Nokia doesn’t care what the next big thing is, because in theory at least, it will already have it under its wing.

“Nokia’s approach is absolutely that,” says Mika Koskinen, CEO of Entirem, which develops a secure wireless transaction platform for banks and portals in cooperation with Nokia. “The general impression is: focus very strongly on our core business, and don’t then get too heavily involved with third parties, at least at the early stages.”

For startups, this is great news. “It’s impossible for us to define the killer apps,” says Mikko Pyykka, Nokia’s 3G application marketing manager, “so we just need to cooperate with a large number of developers. But we think that at the end of the day the real killers will be somehow related to messaging.”

Messaging is what Nokia says will be the main application when it comes to revenues for 3G, and it, like Ericsson, farms its developer community for the latest and greatest. But unlike Ericsson, Nokia seems to be cut-and-dried about the application developers in the overall food chain – they’re valued, to be sure, but they’re outsiders.

During the Sydney Olympics, MobileChannel.Network set up a one-way messaging system for Nokia to provide sport content services. MC.N now cooperates with Nokia on a number of levels. “We did some basic business studies with them,” says MC.N’s Janne Makinen.

“It’s kind of a two-way development cycle. They give us technical access and early releases of new products for us to develop new versions of our product, and we give them feedback of how things work. They also give us a live environment in which to test our solutions before we go to operators.” Makinen says he believes that Nokia’s involvement will play a significant role in MC.N’s development as a company, creating a need for MC.N products by delivering Nokia’s goal of a complete end-to-end system, from network to handsets to applications.

Another Nokia developer is Genimap (formerly Karttakeskus), which began cooperation with Nokia in 1996 when it released its first Communicator – Nokia’s hinged-brick PDA, aimed at the high-flying business and “poser” crowd (that’s Nokia’s own internal market-segment term). The first mapping products were popular address finders; the user entered an address and was served a digital map.

“There are different levels of cooperation,” says Mikko Salonen, CEO of Genimap. “In the beginning, it was very important for us to get cooperation on development tools – how to make WAP-based applications, and so on. Nokia gave us technical papers and documentation, but there was also a two-way exchange of technical information – we also gave our ideas to them and shared our views.”

Currently, Genimap is working with Nokia to develop location-based services such as “turn-left, turn-right” maps complete with street-level content. But Salonen stops short of saying that his company’s relationship with Nokia has changed his life. “The relationship has accelerated our business plan, and they are important for us, but I’m not willing to say this is so very extraordinary or different – they’re just a partner,” he says.

Nokia likes it that way. “In some cases, as with customer-specific services tailored and run for one operator, we might have an exclusive,” says Nokia 3G strategist Ilkka Pukkila, “but we would never go with one single application provider, for example rich SMS. Our strategy is to give operators as much choice as we can, but to offer value added – such as with the interplay between applications, like adding theater tickets to your datebook. We control the platform, and integrate the applications to suit the specific needs of the customer.”

Pukkila says very soon you and I will use our “personal trusted device,” a kind of handheld multimedia terminal to buy a Big Mac. Why would we ever buy a burger with the phone? Pukkila points out that is the wrong way of thinking. “You wouldn’t want to do it just out of the blue. But, for example, McDonald’s will have its own 3G wireless LAN in the restaurant, and when you walk in, you’d get, for example, messages about specials, which you could buy with your phone. And while you ate, you could view McDonald’s content. Or you could pre-order and pick up your paid-for meal with no waiting when you arrived,” he says.

To Nokia, it would seem, development of these kinds of applications will for the foreseeable future be left to the third parties, allowing Nokia – and McDonald’s for that matter – to pick the best of breed of every single app it buys. In fostering this climate, Nokia will likely never again have to say that the latest hot thing just never appeared on its radar.

In concentrating on the network vendors’ efforts to develop applications, we leave un-discussed, for now, the solidity of the model of UMTS as telecom savior. This could be far from certain. Industry analysts, notably those within Forrester Research, have been increasingly pointing to flaws in the revenue models the telecom operators are banking on. “There’s no killer application. There is no such thing. Let’s go for a killer environment. We don’t want to be bound by specific applications.”

This quote, from an executive at a European mobile operator, was featured in Lars Godell’s January Forrester report on the future of UMTS, which the report called “a survival question.”

“Of course it makes more sense for the equipment manufacturers to do the lion’s share of the application hot-housing,” Godell told Tornado-Insider, “But every operator must also have an open mind, to nurture niche and local applications developers as well as creating strong local partnerships.”

Forrester remains skeptical that, even with the hottest applications, incumbent European mobile operators as we know them today will survive the shakeout. Forrester predicts that by 2011, impending pressure from the network vendors to upgrade again to 4G technology will fuel a desperation to reach profits from UMTS amid an environment of saturated subscriber markets, continued spending on marketing and network upgrades and declining average revenue per user (ARPU).

Could it be that eventually the network vendors end up swapping gear for equity to bail out operators? Will forced consolidation result in the death of all independent operators and allow the survival of only the largest pan-European players?

Other analysts say that the Forrester report is overly gloomy and that it does not take into account the improved capital efficiency of investment in 3G as compared to 2G. But most agree that evolution, and indeed consolidation is not an unlikely prediction. “The shape of the mobile communications industry has not stopped evolving,” said Peter Knox, a telecom analyst at Commerzbank Securities, “and consolidation is probably a likely result.”